{"@ID": "413", "@Name": "Improper Resource Locking", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.", "Extended_Description": "When a resource is not properly locked, an attacker could modify the resource while it is being operated on by the product. This might violate the product's assumption that the resource will not change, potentially leading to unexpected behaviors.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "667", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Integrity", "Availability"], "Impact": ["Modify Application Data", "DoS: Instability", "DoS: Crash, Exit, or Restart"]}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Use a non-conflicting privilege scheme."}, {"Phase": ["Architecture and Design", "Implementation"], "Description": "Use synchronization when locking a resource."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-24", "Intro_Text": "The following function attempts to acquire a lock in order to perform operations on a shared resource.", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": "/* access shared resource */", "#text": "pthread_mutex_lock(mutex);\n                           \n                           \n                           \n                           \n                           pthread_mutex_unlock(mutex);"}}, "#text": "void f(pthread_mutex_t *mutex) {}"}}, {"@Nature": "Good", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "return result;"}, "xhtml:i": "/* access shared resource */", "#text": "int result;\n                           result = pthread_mutex_lock(mutex);if (0 != result)\n                           \n                           \n                           \n                           \n                           \n                           return pthread_mutex_unlock(mutex);"}}, "#text": "int f(pthread_mutex_t *mutex) {}"}}], "Body_Text": ["However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.", "In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting them to higher levels."]}, {"Intro_Text": "This Java example shows a simple BankAccount class with deposit and withdraw methods.", "Example_Code": [{"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null, null, null, null, null, null], "xhtml:i": ["// variable for bank account balance", "// constructor for BankAccount", "// method to deposit amount into BankAccount", "// method to withdraw amount from BankAccount", "// other methods for accessing the BankAccount object"], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "accountBalance = 0;"}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "#text": "double newBalance = accountBalance + depositAmount;accountBalance = newBalance;"}}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "#text": "double newBalance = accountBalance - withdrawAmount;accountBalance = newBalance;"}}], "#text": "private double accountBalance;\n                           \n                           \n                           public BankAccount() {}\n                           \n                           \n                           public void deposit(double depositAmount) {}\n                           \n                           \n                           public void withdraw(double withdrawAmount) {}\n                           \n                           \n                           ..."}}, "#text": "public class BankAccount {}"}}, {"@Nature": "Good", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null], "xhtml:i": ["// synchronized method to deposit amount into BankAccount", "// synchronized method to withdraw amount from BankAccount"], "xhtml:div": [{"@style": "margin-left:1em;", "#text": "..."}, {"@style": "margin-left:1em;", "#text": "..."}], "#text": "...\n                           \n                           public synchronized void deposit(double depositAmount) {}\n                           \n                           \n                           public synchronized void withdraw(double withdrawAmount) {}\n                           ..."}}, "#text": "public class BankAccount {}"}}, {"@Nature": "Good", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null, null, null, null], "xhtml:i": ["// lock object for thread access to methods", "// condition object to temporarily release lock to other threads", "// method to deposit amount into BankAccount", "// method to withdraw amount from bank account"], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:i": "// set lock to block access to BankAccount from other threads", "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": "// inform other threads that funds are available", "#text": "double newBalance = balance + amount;balance = newBalance;\n                                       \n                                       \n                                       sufficientFundsCondition.signalAll();"}}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "// unlock lock objectbalanceChangeLock.unlock();"}], "#text": "balanceChangeLock.lock();try {} catch (Exception e) {...}finally {}"}}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:i": "// set lock to block access to BankAccount from other threads", "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:i": ["// temporarily unblock access", "// until sufficient funds are available"], "#text": "sufficientFundsCondition.await();"}}, "xhtml:br": [null, null, null], "#text": "while (balance < amount) {}double newBalance = balance - amount;balance = newBalance;"}}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "// unlock lock objectbalanceChangeLock.unlock();"}], "#text": "balanceChangeLock.lock();try {} catch (Exception e) {...}finally {}"}}], "#text": "...\n                           \n                           private ReentrantLock balanceChangeLock;\n                           \n                           \n                           private Condition sufficientFundsCondition;\n                           \n                           \n                           public void deposit(double amount) {}\n                           \n                           \n                           public void withdraw(double amount) {}..."}}, "#text": "public class BankAccount {}"}}], "Body_Text": ["However, the deposit and withdraw methods have shared access to the account balance private class variable. This can result in a race condition if multiple threads attempt to call the deposit and withdraw methods simultaneously where the account balance is modified by one thread before another thread has completed modifying the account balance. For example, if a thread attempts to withdraw funds using the withdraw method before another thread that is depositing funds using the deposit method completes the deposit then there may not be sufficient funds for the withdraw transaction.", "To prevent multiple threads from having simultaneous access to the account balance variable the deposit and withdraw methods should be synchronized using the synchronized modifier.", "An alternative solution is to use a lock object to ensure exclusive access to the bank account balance variable. As shown below, the deposit and withdraw methods use the lock object to set a lock to block access to the BankAccount object from other threads until the method has completed updating the bank account balance variable."]}]}, "Observed_Examples": {"Observed_Example": {"Reference": "CVE-2022-20141", "Description": "Chain: an operating system kernel has insufficent resource locking (CWE-413) leading to a use after free (CWE-416).", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-20141"}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Insufficient Resource Locking"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "VNA00-J", "Entry_Name": "Ensure visibility when accessing shared primitive variables"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "VNA02-J", "Entry_Name": "Ensure that compound operations on shared variables are atomic"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "LCK00-J", "Entry_Name": "Use private final lock objects to synchronize classes that may interact with untrusted code"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP19", "Entry_Name": "Missing Lock"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Description, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Demonstrative_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Martin Sebor", "Contribution_Organization": "Cisco Systems, Inc.", "Contribution_Date": "2010-04-30", "Contribution_Comment": "Provided Demonstrative Example"}, "Previous_Entry_Name": {"@Date": "2010-09-27", "#text": "Insufficient Resource Locking"}}}
